From 29ae715b91c1821bcacabd37f61bd6794a475167 Mon Sep 17 00:00:00 2001
From: Scott Fleener
Date: Wed, 4 Dec 2024 16:25:36 +0000
Subject: [PATCH 1/4] chore(deps): Upgrade tokio-rustls to 0.26

This bumps rustls itself from 0.21 to 0.23, which comes with a few breaking API changes. Most of these are limited to types being moved or renamed, or how the certificate verifiers are constructed.

Signed-off-by: Scott Fleener
---
 Cargo.lock | 119 ++++++++++--------
 Cargo.toml | 1 +
 linkerd/app/integration/Cargo.toml | 4 +-
 linkerd/app/integration/src/client.rs | 10 +-
 linkerd/app/integration/src/identity.rs | 61 +++++----
 linkerd/app/outbound/Cargo.toml | 2 +-
 linkerd/app/outbound/src/tls/logical/tests.rs | 33 ++++-
 linkerd/meshtls/rustls/Cargo.toml | 5 +-
 linkerd/meshtls/rustls/src/client.rs | 13 +-
 linkerd/meshtls/rustls/src/creds.rs | 29 +++--
 linkerd/meshtls/rustls/src/creds/receiver.rs | 22 ++--
 linkerd/meshtls/rustls/src/creds/store.rs | 54 ++++----
 linkerd/meshtls/rustls/src/creds/verify.rs | 65 +++++++---
 linkerd/meshtls/rustls/src/server.rs | 4 +-
 14 files changed, 263 insertions(+), 159 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 453c2f0a28..867d219f0b 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -62,9 +62,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.94"
+version = "1.0.93"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c1fd03a028ef38ba2276dce7e33fcd6369c158a1bca17946c4b1b701891c1ff7"
+checksum = "4c95c10ba0b00a02636238b814946408b1322d5ac4760326e6fb8ec956d85775"
 
 [[package]]
 name = "arbitrary"
@@ -317,9 +317,9 @@ checksum = "9ac0150caa2ae65ca5bd83f25c7de183dea78d4d366469f148435e2acfbad0da"
 
 [[package]]
 name = "cc"
-version = "1.2.2"
+version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f34d93e62b03caf570cccc334cbc6c2fceca82f39211051345108adcba3eebdc"
+checksum = "fd9de9f2205d5ef3fd67e685b0df337994ddd4495e2a28d185500d0e1edfea47"
 dependencies = [
  "jobserver",
  "libc",
@@ -540,9 +540,9 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
 
 [[package]]
 name = "errno"
-version = "0.3.10"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d"
+checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba"
 dependencies = [
  "libc",
  "windows-sys 0.52.0",
@@ -807,7 +807,7 @@ dependencies = [
  "futures-sink",
  "futures-util",
  "http",
- "indexmap 2.7.0",
+ "indexmap 2.6.0",
  "slab",
  "tokio",
  "tokio-util",
@@ -942,9 +942,9 @@ checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4"
 
 [[package]]
 name = "hyper"
-version = "0.14.31"
+version = "0.14.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8c08302e8fa335b151b788c775ff56e7a03ae64ff85c548ee820fecb70356e85"
+checksum = "bf96e135eb83a2a8ddf766e426a841d8ddd7449d5f00d34ea02b41d2f19eef80"
 dependencies = [
  "bytes",
  "futures-channel",
@@ -1150,9 +1150,9 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.7.0"
+version = "2.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f"
+checksum = "707907fe3c25f5424cce2cb7e1cbcafee6bdbe735ca90ef77c29e84591e5b9da"
 dependencies = [
  "equivalent",
  "hashbrown 0.15.0",
@@ -1255,9 +1255,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
 
 [[package]]
 name = "libc"
-version = "0.2.167"
+version = "0.2.165"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09d6582e104315a817dff97f75133544b2e094ee22447d2acf4a74e189ba06fc"
+checksum = "fcb4d3d38eab6c5239a362fa8bae48c03baf980a6e7079f063942d563ef3533e"
 
 [[package]]
 name = "libfuzzer-sys"
@@ -1271,12 +1271,12 @@ dependencies = [
 
 [[package]]
 name = "libloading"
-version = "0.8.6"
+version = "0.8.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34"
+checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4"
 dependencies = [
  "cfg-if",
- "windows-targets 0.48.5",
+ "windows-targets 0.52.0",
 ]
 
 [[package]]
@@ -1986,7 +1986,6 @@ dependencies = [
  "linkerd-tls-test-util",
  "ring",
  "rustls-pemfile",
- "rustls-webpki",
  "thiserror",
  "tokio",
  "tokio-rustls",
@@ -2088,7 +2087,7 @@ dependencies = [
  "ahash",
  "futures",
  "futures-util",
- "indexmap 2.7.0",
+ "indexmap 2.6.0",
  "linkerd-error",
  "linkerd-metrics",
  "linkerd-pool",
@@ -2807,10 +2806,11 @@ dependencies = [
 
 [[package]]
 name = "mio"
-version = "1.0.3"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
+checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec"
 dependencies = [
+ "hermit-abi",
  "libc",
  "wasi",
  "windows-sys 0.52.0",
@@ -2946,16 +2946,16 @@ dependencies = [
 
 [[package]]
 name = "opentelemetry"
-version = "0.27.1"
+version = "0.27.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab70038c28ed37b97d8ed414b6429d343a8bbf44c9f79ec854f3a643029ba6d7"
+checksum = "0f3cebff57f7dbd1255b44d8bddc2cebeb0ea677dbaa2e25a3070a91b318f660"
 dependencies = [
  "futures-core",
  "futures-sink",
  "js-sys",
+ "once_cell",
  "pin-project-lite",
  "thiserror",
- "tracing",
 ]
 
 [[package]]
@@ -2971,13 +2971,15 @@ dependencies = [
 
 [[package]]
 name = "opentelemetry_sdk"
-version = "0.27.1"
+version = "0.27.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "231e9d6ceef9b0b2546ddf52335785ce41252bc7474ee8ba05bfad277be13ab8"
+checksum = "27b742c1cae4693792cc564e58d75a2a0ba29421a34a85b50da92efa89ecb2bc"
 dependencies = [
+ "async-trait",
  "futures-channel",
  "futures-executor",
  "futures-util",
+ "once_cell",
  "opentelemetry",
  "percent-encoding",
  "rand",
@@ -3042,7 +3044,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
 dependencies = [
  "fixedbitset",
- "indexmap 2.7.0",
+ "indexmap 2.6.0",
 ]
 
 [[package]]
@@ -3426,32 +3428,42 @@ dependencies = [
 
 [[package]]
 name = "rustls"
-version = "0.21.12"
+version = "0.23.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e"
+checksum = "934b404430bb06b3fae2cba809eb45a1ab1aecd64491213d7c3301b88393f8d1"
 dependencies = [
  "log",
+ "once_cell",
  "ring",
+ "rustls-pki-types",
  "rustls-webpki",
- "sct",
+ "subtle",
+ "zeroize",
 ]
 
 [[package]]
 name = "rustls-pemfile"
-version = "1.0.4"
+version = "2.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1c74cae0a4cf6ccbbf5f359f08efdf8ee7e1dc532573bf0db71968cb56b1448c"
+checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
 dependencies = [
- "base64 0.21.7",
+ "rustls-pki-types",
 ]
 
+[[package]]
+name = "rustls-pki-types"
+version = "1.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b"
+
 [[package]]
 name = "rustls-webpki"
-version = "0.101.7"
+version = "0.102.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
+checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
 dependencies = [
  "ring",
+ "rustls-pki-types",
  "untrusted",
 ]
 
@@ -3473,16 +3485,6 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
-[[package]]
-name = "sct"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
-dependencies = [
- "ring",
- "untrusted",
-]
-
 [[package]]
 name = "semver"
 version = "1.0.23"
@@ -3585,9 +3587,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67"
 
 [[package]]
 name = "socket2"
-version = "0.5.8"
+version = "0.5.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8"
+checksum = "ce305eb0b4296696835b71df73eb912e0f1ffd2556a501fcede6e0c50349191c"
 dependencies = [
  "libc",
  "windows-sys 0.52.0",
@@ -3625,6 +3627,12 @@ version = "1.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
 
+[[package]]
+name = "subtle"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
+
 [[package]]
 name = "symbolic-common"
 version = "12.12.3"
@@ -3650,9 +3658,9 @@ dependencies = [
 
 [[package]]
 name = "syn"
-version = "2.0.90"
+version = "2.0.89"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "919d3b74a5dd0ccd15aeb8f93e7006bd9e14c295087c9896a110f490752bcf31"
+checksum = "44d46482f1c1c87acd84dea20c1bf5ebff4c757009ed6bf19cfd36fb10e92c4e"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -3787,9 +3795,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
 [[package]]
 name = "tokio"
-version = "1.42.0"
+version = "1.41.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5cec9b21b0450273377fc97bd4c33a8acffc8c996c987a7c5b319a0083707551"
+checksum = "22cfb5bee7a6a52939ca9224d6ac897bb669134078daa8735560897f69de4d33"
 dependencies = [
  "backtrace",
  "bytes",
@@ -3849,11 +3857,12 @@ dependencies = [
 
 [[package]]
 name = "tokio-rustls"
-version = "0.24.1"
+version = "0.26.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
+checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4"
 dependencies = [
  "rustls",
+ "rustls-pki-types",
  "tokio",
 ]
 
@@ -4488,6 +4497,12 @@ dependencies = [
  "synstructure",
 ]
 
+[[package]]
+name = "zeroize"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+
 [[package]]
 name = "zerovec"
 version = "0.10.4"
diff --git a/Cargo.toml b/Cargo.toml
index ff1dfef78a..5ae61e2c83 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -98,4 +98,5 @@ lto = true
 
 [workspace.dependencies]
 linkerd2-proxy-api = "0.15.0"
+tokio-rustls = { version = "0.26", default_features = false, features = ["ring", "logging"] }
 # linkerd2-proxy-api = { git = "https://github.com/linkerd/linkerd2-proxy-api.git", branch = "main" }
diff --git a/linkerd/app/integration/Cargo.toml b/linkerd/app/integration/Cargo.toml
index d9a43173a4..1e9118cc69 100644
--- a/linkerd/app/integration/Cargo.toml
+++ b/linkerd/app/integration/Cargo.toml
@@ -46,8 +46,8 @@ regex = "1"
 socket2 = "0.5"
 tokio = { version = "1", features = ["io-util", "net", "rt", "macros"] }
 tokio-stream = { version = "0.1", features = ["sync"] }
-tokio-rustls = "0.24"
-rustls-pemfile = "1.0"
+tokio-rustls = { workspace = true }
+rustls-pemfile = "2.2"
 tower = { version = "0.4", default-features = false }
 tonic = { version = "0.10", features = ["transport"], default-features = false }
 tracing = "0.1"
diff --git a/linkerd/app/integration/src/client.rs b/linkerd/app/integration/src/client.rs
index ed5c5763f3..5351d1ca60 100644
--- a/linkerd/app/integration/src/client.rs
+++ b/linkerd/app/integration/src/client.rs
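Review bot: The new workspace entry spells the key as `default_features = false`, while the other manifests in this patch use the hyphenated form (`tower` and `tonic` in linkerd/app/integration/Cargo.toml both say `default-features = false`); Cargo has deprecated the underscore variant in favour of `default-features` and warns on it, so the line should read `tokio-rustls = { version = "0.26", default-features = false, features = ["ring", "logging"] }`. With defaults off, this feature list is what selects the ring provider and leaves out the crate's other default features, and that decision now governs every crate that says `{ workspace = true }`, so a one-line comment above it would help, e.g. `# ring-only crypto provider; keep in sync with TLS_VERSIONS / TLS_SUPPORTED_CIPHERSUITES in meshtls`.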
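Review bot: `rustls-pemfile = "2.2"` is pinned here and again in linkerd/meshtls/rustls/Cargo.toml in this same patch, whereas `tokio-rustls` was just hoisted to `[workspace.dependencies]`; both crates hand `rustls-pemfile`'s `CertificateDer` values straight to rustls, so the two versions have to move together. Declaring `rustls-pemfile = "2.2"` once in the workspace and using `rustls-pemfile = { workspace = true }` in both manifests would keep them from drifting apart.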
@@ -2,8 +2,7 @@ use super::*; use linkerd_app_core::proxy::http::TracingExecutor; use parking_lot::Mutex; use std::io; -use tokio::net::TcpStream; -use tokio::task::JoinHandle; +use tokio::{net::TcpStream, task::JoinHandle}; use tokio_rustls::rustls::{self, ClientConfig}; use tracing::info_span; @@ -15,12 +14,13 @@ type Sender = mpsc::UnboundedSender<(Request, oneshot::Sender, - name: rustls::ServerName, + name: rustls::pki_types::ServerName<'static>, } impl TlsConfig { - pub fn new(client_config: Arc, name: &str) -> Self { - let name = rustls::ServerName::try_from(name).expect("name must be a valid DNS name"); + pub fn new(client_config: Arc, name: &'static str) -> Self { + let name = + rustls::pki_types::ServerName::try_from(name).expect("name must be a valid DNS name"); TlsConfig { client_config, name, diff --git a/linkerd/app/integration/src/identity.rs b/linkerd/app/integration/src/identity.rs index f2ba49766c..afc373852b 100644 --- a/linkerd/app/integration/src/identity.rs +++ b/linkerd/app/integration/src/identity.rs @@ -8,7 +8,7 @@ use std::{ }; use linkerd2_proxy_api::identity as pb; -use tokio_rustls::rustls; +use tokio_rustls::rustls::{self, pki_types::CertificateDer, server::WebPkiClientVerifier}; use tonic as grpc; pub struct Identity { @@ -36,7 +36,7 @@ type Certify = Box< static TLS_VERSIONS: &[&rustls::SupportedProtocolVersion] = &[&rustls::version::TLS13]; static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = - &[rustls::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256]; + &[rustls::crypto::ring::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256]; struct Certificates { pub leaf: Vec, 
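Review bot: `TlsConfig::new` narrows its `name` parameter from `&str` to `&'static str` solely to obtain a `ServerName<'static>`, which forces every caller to pass a literal or leak a string; the meshtls client in this same patch solves the identical problem with an owned conversion and keeps its borrowed input. Suggest keeping `name: &str` and writing `let name = rustls::pki_types::ServerName::try_from(name.to_string()).expect("name must be a valid DNS name");`, which yields the `'static` name without changing the signature. The `impl TlsConfig` block continues past the end of the hunk.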
@@ -50,11 +50,17 @@ impl Certificates { { let f = fs::File::open(p)?; let mut r = io::BufReader::new(f); - let mut certs = rustls_pemfile::certs(&mut r) + let mut certs = rustls_pemfile::certs(&mut r); + let leaf = certs + .next() + .expect("no leaf cert in pemfile") + .map_err(|_| io::Error::new(io::ErrorKind::Other, "rustls error reading certs"))? + .as_ref() + .to_vec(); + let intermediates = certs + .map(|cert| cert.map(|cert| cert.as_ref().to_vec())) + .collect::, _>>() .map_err(|_| io::Error::new(io::ErrorKind::Other, "rustls error reading certs"))?; - let mut certs = certs.drain(..); - let leaf = certs.next().expect("no leaf cert in pemfile"); - let intermediates = certs.collect(); Ok(Certificates { leaf, @@ -62,11 +68,14 @@ impl Certificates { }) } - pub fn chain(&self) -> Vec { + pub fn chain(&self) -> Vec> { let mut chain = Vec::with_capacity(self.intermediates.len() + 1); chain.push(self.leaf.clone()); chain.extend(self.intermediates.clone()); - chain.into_iter().map(rustls::Certificate).collect() + chain + .into_iter() + .map(rustls::pki_types::CertificateDer::from) + .collect() } pub fn response(&self) -> pb::CertifyResponse { @@ -79,43 +88,49 @@ impl Certificates { } impl Identity { - fn load_key
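Review bot: Both new `map_err(|_| io::Error::new(io::ErrorKind::Other, "rustls error reading certs"))` closures in this `impl Certificates` method (its signature is above the hunk) discard the parser's error and substitute a fixed message; in rustls-pemfile 2 the iterator items already carry an `io::Error`, so the wrapping loses the actual cause and is no longer needed. `certs.next().expect("no leaf cert in pemfile")?` and `.collect::<Result<Vec<_>, _>>()?` would propagate the original error and its message; if the fixed text is wanted, `io::Error::new(io::ErrorKind::Other, e)` keeps the source attached. The same closure appears twice, so whichever form is kept should be a small local helper rather than duplicated.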

(p: P) -> rustls::PrivateKey + fn load_key

(p: P) -> rustls::pki_types::PrivateKeyDer<'static> where P: AsRef, { let p8 = fs::read(&p).expect("read key"); - rustls::PrivateKey(p8) + rustls::pki_types::PrivateKeyDer::try_from(p8).expect("decode key") } fn configs( trust_anchors: &str, certs: &Certificates, - key: rustls::PrivateKey, + key: rustls::pki_types::PrivateKeyDer<'static>, ) -> (Arc, Arc) { use std::io::Cursor; let mut roots = rustls::RootCertStore::empty(); - let trust_anchors = - rustls_pemfile::certs(&mut Cursor::new(trust_anchors)).expect("error parsing pemfile"); - let (added, skipped) = roots.add_parsable_certificates(&trust_anchors[..]); + let trust_anchors = rustls_pemfile::certs(&mut Cursor::new(trust_anchors)) + .map(|bytes| bytes.map(CertificateDer::from)) + .collect::, _>>() + .expect("error parsing pemfile"); + let (added, skipped) = roots.add_parsable_certificates(trust_anchors); assert_ne!(added, 0, "trust anchors must include at least one cert"); assert_eq!(skipped, 0, "no certs in pemfile should be invalid"); - let client_config = rustls::ClientConfig::builder() - .with_cipher_suites(TLS_SUPPORTED_CIPHERSUITES) - .with_safe_default_kx_groups() + let mut provider = rustls::crypto::ring::default_provider(); + provider.cipher_suites = TLS_SUPPORTED_CIPHERSUITES.to_vec(); + let provider = Arc::new(provider); + + let client_config = rustls::ClientConfig::builder_with_provider(provider.clone()) .with_protocol_versions(TLS_VERSIONS) .expect("client config must be valid") .with_root_certificates(roots.clone()) .with_no_client_auth(); - let server_config = rustls::ServerConfig::builder() - .with_cipher_suites(TLS_SUPPORTED_CIPHERSUITES) - .with_safe_default_kx_groups() + let client_cert_verifier = + WebPkiClientVerifier::builder_with_provider(Arc::new(roots), provider.clone()) + .allow_unauthenticated() + .build() + .expect("server verifier must be valid"); + + let server_config = rustls::ServerConfig::builder_with_provider(provider) .with_protocol_versions(TLS_VERSIONS) .expect("server 
config must be valid") - .with_client_cert_verifier(Arc::new( - rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new(roots), - )) + .with_client_cert_verifier(client_cert_verifier) .with_single_cert(certs.chain(), key) .unwrap(); diff --git a/linkerd/app/outbound/Cargo.toml b/linkerd/app/outbound/Cargo.toml index 31c258d71a..62f82cc46c 100644 --- a/linkerd/app/outbound/Cargo.toml +++ b/linkerd/app/outbound/Cargo.toml @@ -54,7 +54,7 @@ futures-util = "0.3" http-body = "0.4" hyper = { version = "0.14", features = ["deprecated", "http1", "http2"] } tokio = { version = "1", features = ["macros", "sync", "time"] } -tokio-rustls = "0.24" +tokio-rustls = { workspace = true } tokio-test = "0.4" tower-test = "0.4" diff --git a/linkerd/app/outbound/src/tls/logical/tests.rs b/linkerd/app/outbound/src/tls/logical/tests.rs index 4bde3435c0..036c3d1ae5 100644 --- a/linkerd/app/outbound/src/tls/logical/tests.rs +++ b/linkerd/app/outbound/src/tls/logical/tests.rs @@ -17,6 +17,7 @@ use std::{ time::Duration, }; use tokio::sync::watch; +use tokio_rustls::rustls::pki_types::DnsName; mod basic; 
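Review bot: `WebPkiClientVerifier::builder_with_provider(Arc::new(roots), provider.clone()).allow_unauthenticated()` replaces `AllowAnyAnonymousOrAuthenticatedClient`, and the security-relevant part of that equivalence — a client may present no certificate, but any certificate it does present must chain to `roots` — is no longer stated by a type name, so it deserves a comment above the builder: `// Optional client auth: clients may connect without a certificate, but a presented certificate must chain to `roots`.` The same construction appears in `server_config` in linkerd/meshtls/rustls/src/creds/store.rs in this patch and should carry the same comment. `build()` can fail for an empty store; here the `assert_ne!(added, 0, …)` above rules that out, which is worth saying next to the `expect`. `configs` continues past the end of the hunk.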
@@ -171,28 +172,37 @@ fn generate_client_hello(sni: &str) -> Vec { use tokio_rustls::rustls::{ internal::msgs::{ base::Payload, + codec::{Codec, Reader}, enums::Compression, handshake::{ ClientExtension, ClientHelloPayload, HandshakeMessagePayload, HandshakePayload, - Random, SessionId, + Random, ServerName, SessionId, }, message::{MessagePayload, PlainMessage}, }, - server::DnsName, CipherSuite, ContentType, HandshakeType, ProtocolVersion, }; let sni = DnsName::try_from(sni.to_string()).unwrap(); + let sni = trim_hostname_trailing_dot_for_sni(&sni); + + let mut server_name_bytes = vec![]; + 0u8.encode(&mut server_name_bytes); // encode the type first + (sni.as_ref().len() as u16).encode(&mut server_name_bytes); // then the length as u16 + server_name_bytes.extend_from_slice(sni.as_ref().as_bytes()); // then the server name itself + + let server_name = + ServerName::read(&mut Reader::init(&server_name_bytes)).expect("Server name is valid"); let hs_payload = HandshakeMessagePayload { typ: HandshakeType::ClientHello, payload: HandshakePayload::ClientHello(ClientHelloPayload { client_version: ProtocolVersion::TLSv1_2, random: Random::from([0; 32]), - session_id: SessionId::empty(), + session_id: SessionId::read(&mut Reader::init(&[0])).unwrap(), cipher_suites: vec![CipherSuite::TLS_NULL_WITH_NULL_NULL], compression_methods: vec![Compression::Null], - extensions: vec![ClientExtension::make_sni(sni.borrow())], + extensions: vec![ClientExtension::ServerName(vec![server_name])], }), }; 
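Review bot: The hand-assembled `server_name_bytes` and `SessionId::read(&mut Reader::init(&[0]))` encode wire-format details by hand, and the trailing comments only say "type" and "length", so a reader has to open RFC 6066 to check them. Suggest `// RFC 6066 §3 ServerName: name_type = host_name (0), then an opaque<1..2^16-1> ASCII host name` above the three encoding lines, and `// a single 0x00 length byte decodes as the empty session id (formerly SessionId::empty())` on the `session_id` line. `generate_client_hello` continues in the next hunk.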
@@ -202,8 +212,21 @@ fn generate_client_hello(sni: &str) -> Vec { let message = PlainMessage { typ: ContentType::Handshake, version: ProtocolVersion::TLSv1_2, - payload: Payload(hs_payload_bytes), + payload: Payload::Owned(hs_payload_bytes), }; message.into_unencrypted_opaque().encode() } + +fn trim_hostname_trailing_dot_for_sni(dns_name: &DnsName<'_>) -> DnsName<'static> { + let dns_name_str = dns_name.as_ref(); + + // RFC6066: "The hostname is represented as a byte string using + // ASCII encoding without a trailing dot" + if dns_name_str.ends_with('.') { + let trimmed = &dns_name_str[0..dns_name_str.len() - 1]; + DnsName::try_from(trimmed).unwrap().to_owned() + } else { + dns_name.to_owned() + } +} diff --git a/linkerd/meshtls/rustls/Cargo.toml b/linkerd/meshtls/rustls/Cargo.toml index 5a09ea31e4..13367c5e35 100644 --- a/linkerd/meshtls/rustls/Cargo.toml +++ b/linkerd/meshtls/rustls/Cargo.toml @@ -12,11 +12,10 @@ test-util = ["linkerd-tls-test-util"] [dependencies] futures = { version = "0.3", default-features = false } ring = { version = "0.17", features = ["std"] } -rustls-pemfile = "1.0" -rustls-webpki = { version = "0.101.5", features = ["std"] } +rustls-pemfile = "2.2" thiserror = "1" tokio = { version = "1", features = ["macros", "rt", "sync"] } -tokio-rustls = { version = "0.24", features = ["dangerous_configuration"] } +tokio-rustls = { workspace = true } tracing = "0.1" linkerd-dns-name = { path = "../../dns/name" } diff --git a/linkerd/meshtls/rustls/src/client.rs b/linkerd/meshtls/rustls/src/client.rs index 962135d42d..9856d38998 100644 --- a/linkerd/meshtls/rustls/src/client.rs +++ b/linkerd/meshtls/rustls/src/client.rs 
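Review bot: `trim_hostname_trailing_dot_for_sni` tests `ends_with('.')` and then slices with `&dns_name_str[0..dns_name_str.len() - 1]`; `strip_suffix` expresses the same thing without index arithmetic: `if let Some(trimmed) = dns_name_str.strip_suffix('.') { DnsName::try_from(trimmed).unwrap().to_owned() } else { dns_name.to_owned() }`. The `unwrap()` looks safe because the caller has already validated the full name through `DnsName::try_from`, but a short comment saying so would spare the next reader the same check.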
@@ -6,7 +6,7 @@ use linkerd_stack::{NewService, Service}; use linkerd_tls::{client::AlpnProtocols, ClientTls, NegotiatedProtocolRef}; use std::{convert::TryFrom, pin::Pin, sync::Arc, task::Context}; use tokio::sync::watch; -use tokio_rustls::rustls::{self, ClientConfig}; +use tokio_rustls::rustls::{self, pki_types::CertificateDer, ClientConfig}; /// A `NewService` that produces `Connect` services from a dynamic TLS configuration. #[derive(Clone)] @@ -18,7 +18,7 @@ pub struct NewClient { #[derive(Clone)] pub struct Connect { server_id: id::Id, - server_name: rustls::ServerName, + server_name: rustls::pki_types::ServerName<'static>, config: Arc, } @@ -68,8 +68,9 @@ impl Connect { } }; - let server_name = rustls::ServerName::try_from(client_tls.server_name.as_str()) - .expect("identity must be a valid DNS name"); + let server_name = + rustls::pki_types::ServerName::try_from(client_tls.server_name.to_string()) + .expect("identity must be a valid DNS name"); Self { server_id: client_tls.server_id.into(), @@ -79,7 +80,7 @@ impl Connect { } } -fn extract_cert(c: &rustls::ClientConnection) -> io::Result<&rustls::Certificate> { +fn extract_cert(c: &rustls::ClientConnection) -> io::Result<&CertificateDer<'_>> { match c.peer_certificates().and_then(|certs| certs.first()) { Some(leaf_cert) => io::Result::Ok(leaf_cert), None => Err(io::Error::new(io::ErrorKind::Other, "missing tls end cert")), @@ -113,7 +114,7 @@ where let s = s?; let (_, conn) = s.get_ref(); let end_cert = extract_cert(conn)?; - verifier::verify_id(&end_cert.0, &server_id)?; + verifier::verify_id(end_cert, &server_id)?; Ok(ClientIo(s)) }), ) diff --git a/linkerd/meshtls/rustls/src/creds.rs b/linkerd/meshtls/rustls/src/creds.rs index cd8332534e..00b0d7f6a6 100644 --- a/linkerd/meshtls/rustls/src/creds.rs +++ b/linkerd/meshtls/rustls/src/creds.rs 
@@ -27,19 +27,22 @@ pub fn watch( roots_pem: &str, ) -> Result<(Store, Receiver)> { let mut roots = rustls::RootCertStore::empty(); - let certs = match rustls_pemfile::certs(&mut std::io::Cursor::new(roots_pem)) { - Err(error) => { - warn!(%error, "invalid trust anchors file"); - return Err(error.into()); - } - Ok(certs) if certs.is_empty() => { - warn!("no valid certs in trust anchors file"); - return Err("no trust roots in PEM file".into()); - } - Ok(certs) => certs, - }; + let mut certs = vec![]; + for cert in rustls_pemfile::certs(&mut std::io::Cursor::new(roots_pem)) { + match cert { + Err(error) => { + warn!(%error, "invalid trust anchors file"); + return Err(error.into()); + } + Ok(cert) => certs.push(cert), + }; + } + if certs.is_empty() { + warn!("no valid certs in trust anchors file"); + return Err("no trust roots in PEM file".into()); + } - let (added, skipped) = roots.add_parsable_certificates(&certs[..]); + let (added, skipped) = roots.add_parsable_certificates(certs); if skipped != 0 { warn!("Skipped {} invalid trust anchors", skipped); } @@ -115,5 +118,5 @@ mod params { rustls::SignatureAlgorithm::ECDSA; pub static TLS_VERSIONS: &[&rustls::SupportedProtocolVersion] = &[&rustls::version::TLS13]; pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = - &[rustls::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256]; + &[rustls::crypto::ring::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256]; } diff --git a/linkerd/meshtls/rustls/src/creds/receiver.rs b/linkerd/meshtls/rustls/src/creds/receiver.rs index 1c06f87c1c..fd451fbef8 100644 --- a/linkerd/meshtls/rustls/src/creds/receiver.rs +++ b/linkerd/meshtls/rustls/src/creds/receiver.rs 
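Review bot: `watch` collects the PEM certificates with a manual `for`/`match` loop, while the equivalent step in `Identity::configs` (linkerd/app/integration/src/identity.rs, this patch) uses `collect::<Result<Vec<_>, _>>()`; the loop reduces to `let certs: Vec<_> = rustls_pemfile::certs(&mut std::io::Cursor::new(roots_pem))` / `.collect::<Result<_, _>>()` / `.map_err(|error| { warn!(%error, "invalid trust anchors file"); error })?;`, assuming the existing `error.into()` conversion is a `From` impl so that `?` applies. The `is_empty()` check and the `skipped != 0` warning after `add_parsable_certificates(certs)` stay as they are; they are the two places where a bad trust-anchor file is caught, so they are worth a one-line comment each saying which failure they cover.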
@@ -70,10 +70,13 @@ mod tests { /// incoming handshakes, but that doesn't matter for these tests, where we /// don't actually do any TLS. fn empty_server_config() -> rustls::ServerConfig { - rustls::ServerConfig::builder() - .with_safe_defaults() - .with_client_cert_verifier(Arc::new(rustls::server::NoClientAuth)) - .with_cert_resolver(Arc::new(rustls::server::ResolvesServerCertUsingSni::new())) + rustls::ServerConfig::builder_with_provider(Arc::new( + rustls::crypto::ring::default_provider(), + )) + .with_protocol_versions(rustls::ALL_VERSIONS) + .expect("client config must be valid") + .with_client_cert_verifier(Arc::new(rustls::server::NoClientAuth)) + .with_cert_resolver(Arc::new(rustls::server::ResolvesServerCertUsingSni::new())) } /// Returns the simplest default rustls client config. @@ -82,10 +85,13 @@ mod tests { /// it doesn't trust any root certificates. However, that doesn't actually /// matter for these tests, which don't actually do TLS. fn empty_client_config() -> rustls::ClientConfig { - rustls::ClientConfig::builder() - .with_safe_defaults() - .with_root_certificates(rustls::RootCertStore::empty()) - .with_no_client_auth() + rustls::ClientConfig::builder_with_provider(Arc::new( + rustls::crypto::ring::default_provider(), + )) + .with_protocol_versions(rustls::ALL_VERSIONS) + .expect("client config must be valid") + .with_root_certificates(rustls::RootCertStore::empty()) + .with_no_client_auth() } #[tokio::test] diff --git a/linkerd/meshtls/rustls/src/creds/store.rs b/linkerd/meshtls/rustls/src/creds/store.rs index b0a692856e..44531106e8 100644 --- a/linkerd/meshtls/rustls/src/creds/store.rs +++ b/linkerd/meshtls/rustls/src/creds/store.rs @@ -1,5 +1,4 @@ -use super::params::*; -use super::InvalidKey; +use super::{params::*, InvalidKey}; use linkerd_dns_name as dns; use linkerd_error::Result; use linkerd_identity as id; 
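Review bot: `empty_server_config` now unwraps the builder with `.expect("client config must be valid")`; the message was copied from `empty_client_config` and would mislead anyone reading a panic from this helper, so it should read `.expect("server config must be valid")`. Both helpers also build an identical `Arc::new(rustls::crypto::ring::default_provider())`; a small `fn provider()` in the test module would avoid repeating it.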
@@ -7,12 +6,12 @@ use linkerd_meshtls_verifier as verifier; use ring::{rand, signature::EcdsaKeyPair}; use std::{convert::TryFrom, sync::Arc}; use tokio::sync::watch; -use tokio_rustls::rustls; +use tokio_rustls::rustls::{self, pki_types::UnixTime, server::WebPkiClientVerifier}; use tracing::debug; pub struct Store { roots: rustls::RootCertStore, - server_cert_verifier: Arc, + server_cert_verifier: Arc, server_id: id::Id, server_name: dns::Name, client_tx: watch::Sender>, @@ -20,18 +19,19 @@ pub struct Store { random: ring::rand::SystemRandom, } -#[derive(Clone)] +#[derive(Clone, Debug)] struct Key(Arc); -#[derive(Clone)] +#[derive(Clone, Debug)] struct CertResolver(Arc); pub(super) fn client_config_builder( - cert_verifier: Arc, + cert_verifier: Arc, ) -> rustls::ConfigBuilder { - rustls::ClientConfig::builder() - .with_cipher_suites(TLS_SUPPORTED_CIPHERSUITES) - .with_safe_default_kx_groups() + let mut provider = rustls::crypto::ring::default_provider(); + provider.cipher_suites = TLS_SUPPORTED_CIPHERSUITES.to_vec(); + + rustls::ClientConfig::builder_with_provider(provider.into()) .with_protocol_versions(TLS_VERSIONS) .expect("client config must be valid") // XXX: Rustls's built-in verifiers don't let us tweak things as fully @@ -44,6 +44,7 @@ pub(super) fn client_config_builder( // builder API does internally. However, we want to share the verifier // with the `Store` so that it can be used in `Store::validate` which // requires using this API. + .dangerous() .with_custom_certificate_verifier(cert_verifier) } 
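Review bot: `client_config_builder` builds its provider inline (`let mut provider = rustls::crypto::ring::default_provider(); provider.cipher_suites = TLS_SUPPORTED_CIPHERSUITES.to_vec();`) and `server_config` in the next hunk repeats the same lines, once wrapping with `provider.into()` and once with `Arc::new(provider)`; this is the one place where the cipher-suite restriction is applied, so it should exist once rather than be kept in sync by hand. A helper beside the two builders (or a `pub fn` next to `TLS_SUPPORTED_CIPHERSUITES` in `creds::params`, which this patch also touches) keeps the policy and the provider that enforces it together; both builders would then call `builder_with_provider(crypto_provider())`.
```rust
/// The ring provider restricted to the suites in `TLS_SUPPORTED_CIPHERSUITES`.
fn crypto_provider() -> Arc<rustls::crypto::CryptoProvider> {
    let mut provider = rustls::crypto::ring::default_provider();
    provider.cipher_suites = TLS_SUPPORTED_CIPHERSUITES.to_vec();
    Arc::new(provider)
}

// … unchanged: client_config_builder signature …
    rustls::ClientConfig::builder_with_provider(crypto_provider())
        .with_protocol_versions(TLS_VERSIONS)
// … unchanged: expect(), verifier comment, .dangerous().with_custom_certificate_verifier(cert_verifier) …
```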
@@ -57,12 +58,17 @@ pub(super) fn server_config( // controlling the set of trusted signature algorithms), but they provide good enough // defaults for now. // TODO: lock down the verification further. - let client_cert_verifier = Arc::new( - rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new(roots), - ); - rustls::ServerConfig::builder() - .with_cipher_suites(TLS_SUPPORTED_CIPHERSUITES) - .with_safe_default_kx_groups() + let mut provider = rustls::crypto::ring::default_provider(); + provider.cipher_suites = TLS_SUPPORTED_CIPHERSUITES.to_vec(); + let provider = Arc::new(provider); + + let client_cert_verifier = + WebPkiClientVerifier::builder_with_provider(Arc::new(roots), provider.clone()) + .allow_unauthenticated() + .build() + .expect("server verifier must be valid"); + + rustls::ServerConfig::builder_with_provider(provider) .with_protocol_versions(TLS_VERSIONS) .expect("server config must be valid") .with_client_cert_verifier(client_cert_verifier) @@ -76,7 +82,7 @@ impl Store { #[allow(clippy::too_many_arguments)] pub(super) fn new( roots: rustls::RootCertStore, - server_cert_verifier: Arc, + server_cert_verifier: Arc, server_id: id::Id, server_name: dns::Name, client_tx: watch::Sender>, 
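Review bot: `.expect("server verifier must be valid")` on `WebPkiClientVerifier::builder_with_provider(Arc::new(roots), provider.clone()).allow_unauthenticated().build()` turns an empty root store into a panic inside `server_config`; the only producer of `roots` visible in this patch, `creds::watch`, already returns an error for a PEM file with no certificates, so the `expect` is presumably unreachable today, but that dependency should be recorded next to it: `// build() fails for an empty store; creds::watch rejects that before we get here`. The surrounding comment ending in `TODO: lock down the verification further` appears to say the verifier cannot control the trusted signature algorithms; with the 0.23 builder the provider's `signature_verification_algorithms` is that knob, so the comment is now stale and should be trimmed or turned into a concrete follow-up. `server_config` continues past the end of the hunk.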
@@ -107,25 +113,23 @@ impl Store { /// Ensures the certificate is valid for the services we terminate for TLS. This assumes that /// server cert validation does the same or more validation than client cert validation. - fn validate(&self, certs: &[rustls::Certificate]) -> Result<()> { - let name = rustls::ServerName::try_from(self.server_name.as_str()) + fn validate(&self, certs: &[rustls::pki_types::CertificateDer<'_>]) -> Result<()> { + let name = rustls::pki_types::ServerName::try_from(self.server_name.as_str()) .expect("server name must be a valid DNS name"); static NO_OCSP: &[u8] = &[]; let end_entity = &certs[0]; let intermediates = &certs[1..]; - let no_scts = &mut std::iter::empty(); - let now = std::time::SystemTime::now(); + let now = UnixTime::now(); self.server_cert_verifier.verify_server_cert( end_entity, intermediates, &name, - no_scts, NO_OCSP, now, )?; // verify the id as the cert verifier does not do that (on purpose) - verifier::verify_id(&end_entity.0, &self.server_id).map_err(Into::into) + verifier::verify_id(end_entity, &self.server_id).map_err(Into::into) } } impl id::Credentials for Store { @@ -138,11 +142,11 @@ impl id::Credentials for Store { _expiry: std::time::SystemTime, ) -> Result<()> { let mut chain = Vec::with_capacity(intermediates.len() + 1); - chain.push(rustls::Certificate(leaf)); + chain.push(rustls::pki_types::CertificateDer::from(leaf)); chain.extend( intermediates .into_iter() - .map(|id::DerX509(der)| rustls::Certificate(der)), + .map(|id::DerX509(der)| rustls::pki_types::CertificateDer::from(der)), ); // Use the client's verifier to validate the certificate for our local name. diff --git a/linkerd/meshtls/rustls/src/creds/verify.rs b/linkerd/meshtls/rustls/src/creds/verify.rs index be7058bf57..5b78154848 100644 --- a/linkerd/meshtls/rustls/src/creds/verify.rs +++ b/linkerd/meshtls/rustls/src/creds/verify.rs 
@@ -1,23 +1,33 @@ -use std::convert::TryFrom; -use std::sync::Arc; -use std::time::SystemTime; +use std::{convert::TryFrom, sync::Arc}; use tokio_rustls::rustls::{ self, - client::{self, ServerCertVerified, ServerCertVerifier}, + client::{ + self, + danger::{ServerCertVerified, ServerCertVerifier}, + }, + crypto::WebPkiSupportedAlgorithms, + pki_types::{CertificateDer, ServerName, UnixTime}, server::ParsedCertificate, - Certificate, RootCertStore, ServerName, + RootCertStore, }; use tracing::trace; -pub(crate) struct AnySanVerifier(Arc); +#[derive(Debug)] +pub(crate) struct AnySanVerifier { + roots: Arc, + supported: WebPkiSupportedAlgorithms, +} impl AnySanVerifier { pub(crate) fn new(roots: impl Into>) -> Self { - Self(roots.into()) + Self { + roots: roots.into(), + supported: rustls::crypto::ring::default_provider().signature_verification_algorithms, + } } } -// This is derived from `rustls::client::WebPkiVerifier`. +// This is derived from `rustls::client::WebPkiServerVerifier`. // // Copyright (c) 2016, Joseph Birr-Pixton // https://github.com/rustls/rustls/blob/ccb79947a4811412ee7dcddcd0f51ea56bccf101/rustls/src/webpki/server_verifier.rs#L239 @@ -32,16 +42,21 @@ impl ServerCertVerifier for AnySanVerifier { /// - Not Expired fn verify_server_cert( &self, - end_entity: &Certificate, - intermediates: &[Certificate], - _: &ServerName, - _: &mut dyn Iterator, + end_entity: &CertificateDer<'_>, + intermediates: &[CertificateDer<'_>], + _: &ServerName<'_>, ocsp_response: &[u8], - now: SystemTime, + now: UnixTime, ) -> Result { let cert = ParsedCertificate::try_from(end_entity)?; - client::verify_server_cert_signed_by_trust_anchor(&cert, &self.0, intermediates, now)?; + client::verify_server_cert_signed_by_trust_anchor( + &cert, + &self.roots, + intermediates, + now, + self.supported.all, + )?; if !ocsp_response.is_empty() { trace!("Unvalidated OCSP response: {ocsp_response:?}"); 
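Review bot: `AnySanVerifier::new` fixes `supported` to `rustls::crypto::ring::default_provider().signature_verification_algorithms`, independently of the provider this verifier is installed into by `client_config_builder` in store.rs; the two agree today only because both pick the ring default, yet `self.supported` is what `verify_tls12_signature`/`verify_tls13_signature` check against and what `verify_server_cert_signed_by_trust_anchor` receives as `self.supported.all`, i.e. the signature policy of the connection. Passing the provider in, `pub(crate) fn new(roots: impl Into<Arc<RootCertStore>>, provider: &rustls::crypto::CryptoProvider) -> Self` with `supported: provider.signature_verification_algorithms`, removes the hidden coupling. The source link in the comment was not updated along with the rename to `WebPkiServerVerifier`, so it may still point at the 0.21-era file.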
@@ -49,4 +64,26 @@ impl ServerCertVerifier for AnySanVerifier { Ok(ServerCertVerified::assertion()) } + + fn verify_tls12_signature( + &self, + message: &[u8], + cert: &CertificateDer<'_>, + dss: &rustls::DigitallySignedStruct, + ) -> Result { + tokio_rustls::rustls::crypto::verify_tls12_signature(message, cert, dss, &self.supported) + } + + fn verify_tls13_signature( + &self, + message: &[u8], + cert: &CertificateDer<'_>, + dss: &rustls::DigitallySignedStruct, + ) -> Result { + tokio_rustls::rustls::crypto::verify_tls13_signature(message, cert, dss, &self.supported) + } + + fn supported_verify_schemes(&self) -> Vec { + self.supported.supported_schemes() + } } diff --git a/linkerd/meshtls/rustls/src/server.rs b/linkerd/meshtls/rustls/src/server.rs index cac87589f7..844830e1ee 100644 --- a/linkerd/meshtls/rustls/src/server.rs +++ b/linkerd/meshtls/rustls/src/server.rs @@ -7,7 +7,7 @@ use linkerd_tls::{ClientId, NegotiatedProtocol, NegotiatedProtocolRef, ServerNam use std::{pin::Pin, sync::Arc, task::Context}; use thiserror::Error; use tokio::sync::watch; -use tokio_rustls::rustls::{Certificate, ServerConfig}; +use tokio_rustls::rustls::{pki_types::CertificateDer, ServerConfig}; use tracing::debug; /// A Service that terminates TLS connections using a dynamically updated server configuration. @@ -129,7 +129,7 @@ where fn client_identity(tls: &tokio_rustls::server::TlsStream) -> Option { let (_io, session) = tls.get_ref(); let certs = session.peer_certificates()?; - let c = certs.first().map(Certificate::as_ref)?; + let c = certs.first().map(CertificateDer::as_ref)?; verifier::client_identity(c).map(ClientId) } From bb0e755b71bef652e210baf2286e34a1ca5c03b9 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Fri, 6 Dec 2024 19:14:03 +0000 Subject: [PATCH 2/4] chore(cargo): resync cargo.lock with main --- Cargo.lock | 68 +++++++++++++++++++++++++----------------------------- 1 file changed, 32 insertions(+), 36 deletions(-) 
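Review bot: `verify_tls12_signature` is now a required trait method, but with `TLS_VERSIONS` restricted to `TLS13` (visible in `params`) a TLS 1.2 CertificateVerify can never reach it, so a reader may reasonably wonder whether TLS 1.2 is negotiable after all. A comment on the method, `// Required by the trait; unreachable in practice because only TLS 1.3 is enabled (params::TLS_VERSIONS). Kept identical in policy to the TLS 1.3 path.`, records that. It is also worth a note on `supported_verify_schemes` that its result is presumably what the client advertises in `signature_algorithms`, so a scheme omitted there can never be used by a peer even if `supported.all` could verify it. The `client_identity` hunk in server.rs is a pure type rename and needs nothing.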
diff --git a/Cargo.lock b/Cargo.lock index db18637a44..544e3f1c34 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -62,9 +62,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.93" +version = "1.0.94" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c95c10ba0b00a02636238b814946408b1322d5ac4760326e6fb8ec956d85775" +checksum = "c1fd03a028ef38ba2276dce7e33fcd6369c158a1bca17946c4b1b701891c1ff7" [[package]] name = "arbitrary" @@ -317,9 +317,9 @@ checksum = "325918d6fe32f23b19878fe4b34794ae41fc19ddbe53b10571a4874d44ffd39b" [[package]] name = "cc" -version = "1.2.1" +version = "1.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fd9de9f2205d5ef3fd67e685b0df337994ddd4495e2a28d185500d0e1edfea47" +checksum = "f34d93e62b03caf570cccc334cbc6c2fceca82f39211051345108adcba3eebdc" dependencies = [ "jobserver", "libc", @@ -540,9 +540,9 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.9" +version = "0.3.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" +checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d" dependencies = [ "libc", "windows-sys 0.52.0", @@ -807,7 +807,7 @@ dependencies = [ "futures-sink", "futures-util", "http", - "indexmap 2.6.0", + "indexmap 2.7.0", "slab", "tokio", "tokio-util", @@ -942,9 +942,9 @@ checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" [[package]] name = "hyper" -version = "0.14.28" +version = "0.14.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf96e135eb83a2a8ddf766e426a841d8ddd7449d5f00d34ea02b41d2f19eef80" +checksum = "8c08302e8fa335b151b788c775ff56e7a03ae64ff85c548ee820fecb70356e85" dependencies = [ "bytes", "futures-channel", 
@@ -1150,9 +1150,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.6.0" +version = "2.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "707907fe3c25f5424cce2cb7e1cbcafee6bdbe735ca90ef77c29e84591e5b9da" +checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f" dependencies = [ "equivalent", "hashbrown 0.15.2", @@ -1255,9 +1255,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.165" +version = "0.2.167" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fcb4d3d38eab6c5239a362fa8bae48c03baf980a6e7079f063942d563ef3533e" +checksum = "09d6582e104315a817dff97f75133544b2e094ee22447d2acf4a74e189ba06fc" [[package]] name = "libfuzzer-sys" @@ -1271,9 +1271,9 @@ dependencies = [ [[package]] name = "libloading" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" +checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34" dependencies = [ "cfg-if", "windows-targets 0.52.0", @@ -2087,7 +2087,7 @@ dependencies = [ "ahash", "futures", "futures-util", - "indexmap 2.6.0", + "indexmap 2.7.0", "linkerd-error", "linkerd-metrics", "linkerd-pool", @@ -2806,11 +2806,10 @@ dependencies = [ [[package]] name = "mio" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec" +checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd" dependencies = [ - "hermit-abi", "libc", "wasi", "windows-sys 0.52.0", 
@@ -2946,16 +2945,16 @@ dependencies = [ [[package]] name = "opentelemetry" -version = "0.27.0" +version = "0.27.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f3cebff57f7dbd1255b44d8bddc2cebeb0ea677dbaa2e25a3070a91b318f660" +checksum = "ab70038c28ed37b97d8ed414b6429d343a8bbf44c9f79ec854f3a643029ba6d7" dependencies = [ "futures-core", "futures-sink", "js-sys", - "once_cell", "pin-project-lite", "thiserror", + "tracing", ] [[package]] @@ -2971,15 +2970,13 @@ dependencies = [ [[package]] name = "opentelemetry_sdk" -version = "0.27.0" +version = "0.27.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "27b742c1cae4693792cc564e58d75a2a0ba29421a34a85b50da92efa89ecb2bc" +checksum = "231e9d6ceef9b0b2546ddf52335785ce41252bc7474ee8ba05bfad277be13ab8" dependencies = [ - "async-trait", "futures-channel", "futures-executor", "futures-util", - "once_cell", "opentelemetry", "percent-encoding", "rand", @@ -3044,7 +3041,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db" dependencies = [ "fixedbitset", - "indexmap 2.6.0", + "indexmap 2.7.0", ] [[package]] @@ -3587,9 +3584,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "socket2" -version = "0.5.7" +version = "0.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce305eb0b4296696835b71df73eb912e0f1ffd2556a501fcede6e0c50349191c" +checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8" dependencies = [ "libc", "windows-sys 0.52.0", 
@@ -3658,9 +3655,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.89" +version = "2.0.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44d46482f1c1c87acd84dea20c1bf5ebff4c757009ed6bf19cfd36fb10e92c4e" +checksum = "919d3b74a5dd0ccd15aeb8f93e7006bd9e14c295087c9896a110f490752bcf31" dependencies = [ "proc-macro2", "quote", @@ -3795,9 +3792,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.41.1" +version = "1.42.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22cfb5bee7a6a52939ca9224d6ac897bb669134078daa8735560897f69de4d33" +checksum = "5cec9b21b0450273377fc97bd4c33a8acffc8c996c987a7c5b319a0083707551" dependencies = [ "backtrace", "bytes", @@ -3857,12 +3854,11 @@ dependencies = [ [[package]] name = "tokio-rustls" -version = "0.26.0" +version = "0.26.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" +checksum = "5f6d0975eaace0cf0fcadee4e4aaa5da15b5c079146f2cffb67c113be122bf37" dependencies = [ "rustls", - "rustls-pki-types", "tokio", ] From 26ee589081dcd36d1b4e56f1d83db7ed6ace9bdd Mon Sep 17 00:00:00 2001 From: Scott Fleener Date: Tue, 10 Dec 2024 06:31:11 +0000 Subject: [PATCH 3/4] chore(deps): Upgrade tokio-rustls to 0.26 This bumps rustls itself from 0.21 to 0.23, which comes with a few breaking API changes. Most of these are limited to types being moved or renamed, or how the certificate verifiers are constructed. Signed-off-by: Scott Fleener --- Cargo.lock | 64 ++++++++++++---------- linkerd/meshtls/rustls/Cargo.toml | 1 + linkerd/meshtls/rustls/src/creds.rs | 44 +++++++++------ linkerd/meshtls/rustls/src/creds/store.rs | 11 +--- linkerd/meshtls/rustls/src/creds/verify.rs | 14 ++--- 5 files changed, 72 insertions(+), 62 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 544e3f1c34..2c06e89f56 100644 
--- a/Cargo.lock +++ b/Cargo.lock @@ -62,9 +62,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.94" +version = "1.0.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1fd03a028ef38ba2276dce7e33fcd6369c158a1bca17946c4b1b701891c1ff7" +checksum = "4c95c10ba0b00a02636238b814946408b1322d5ac4760326e6fb8ec956d85775" [[package]] name = "arbitrary" @@ -317,9 +317,9 @@ checksum = "325918d6fe32f23b19878fe4b34794ae41fc19ddbe53b10571a4874d44ffd39b" [[package]] name = "cc" -version = "1.2.2" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f34d93e62b03caf570cccc334cbc6c2fceca82f39211051345108adcba3eebdc" +checksum = "fd9de9f2205d5ef3fd67e685b0df337994ddd4495e2a28d185500d0e1edfea47" dependencies = [ "jobserver", "libc", @@ -540,9 +540,9 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.10" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d" +checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" dependencies = [ "libc", "windows-sys 0.52.0", @@ -807,7 +807,7 @@ dependencies = [ "futures-sink", "futures-util", "http", - "indexmap 2.7.0", + "indexmap 2.6.0", "slab", "tokio", "tokio-util", @@ -942,9 +942,9 @@ checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" [[package]] name = "hyper" -version = "0.14.31" +version = "0.14.28" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8c08302e8fa335b151b788c775ff56e7a03ae64ff85c548ee820fecb70356e85" +checksum = "bf96e135eb83a2a8ddf766e426a841d8ddd7449d5f00d34ea02b41d2f19eef80" dependencies = [ "bytes", "futures-channel", 
@@ -1150,9 +1150,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.7.0" +version = "2.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f" +checksum = "707907fe3c25f5424cce2cb7e1cbcafee6bdbe735ca90ef77c29e84591e5b9da" dependencies = [ "equivalent", "hashbrown 0.15.2", @@ -1255,9 +1255,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55" [[package]] name = "libc" -version = "0.2.167" +version = "0.2.165" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09d6582e104315a817dff97f75133544b2e094ee22447d2acf4a74e189ba06fc" +checksum = "fcb4d3d38eab6c5239a362fa8bae48c03baf980a6e7079f063942d563ef3533e" [[package]] name = "libfuzzer-sys" @@ -1271,9 +1271,9 @@ dependencies = [ [[package]] name = "libloading" -version = "0.8.6" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34" +checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" dependencies = [ "cfg-if", "windows-targets 0.52.0", @@ -1986,6 +1986,7 @@ dependencies = [ "linkerd-tls-test-util", "ring", "rustls-pemfile", + "rustls-webpki", "thiserror", "tokio", "tokio-rustls", @@ -2087,7 +2088,7 @@ dependencies = [ "ahash", "futures", "futures-util", - "indexmap 2.7.0", + "indexmap 2.6.0", "linkerd-error", "linkerd-metrics", "linkerd-pool", @@ -2806,10 +2807,11 @@ dependencies = [ [[package]] name = "mio" -version = "1.0.3" +version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd" +checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec" dependencies = [ + "hermit-abi", "libc", "wasi", "windows-sys 0.52.0", 
@@ -2945,16 +2947,16 @@ dependencies = [ [[package]] name = "opentelemetry" -version = "0.27.1" +version = "0.27.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab70038c28ed37b97d8ed414b6429d343a8bbf44c9f79ec854f3a643029ba6d7" +checksum = "0f3cebff57f7dbd1255b44d8bddc2cebeb0ea677dbaa2e25a3070a91b318f660" dependencies = [ "futures-core", "futures-sink", "js-sys", + "once_cell", "pin-project-lite", "thiserror", - "tracing", ] [[package]] @@ -2970,13 +2972,15 @@ dependencies = [ [[package]] name = "opentelemetry_sdk" -version = "0.27.1" +version = "0.27.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "231e9d6ceef9b0b2546ddf52335785ce41252bc7474ee8ba05bfad277be13ab8" +checksum = "27b742c1cae4693792cc564e58d75a2a0ba29421a34a85b50da92efa89ecb2bc" dependencies = [ + "async-trait", "futures-channel", "futures-executor", "futures-util", + "once_cell", "opentelemetry", "percent-encoding", "rand", @@ -3041,7 +3045,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db" dependencies = [ "fixedbitset", - "indexmap 2.7.0", + "indexmap 2.6.0", ] [[package]] @@ -3584,9 +3588,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "socket2" -version = "0.5.8" +version = "0.5.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8" +checksum = "ce305eb0b4296696835b71df73eb912e0f1ffd2556a501fcede6e0c50349191c" dependencies = [ "libc", "windows-sys 0.52.0", 
@@ -3655,9 +3659,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.90" +version = "2.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "919d3b74a5dd0ccd15aeb8f93e7006bd9e14c295087c9896a110f490752bcf31" +checksum = "44d46482f1c1c87acd84dea20c1bf5ebff4c757009ed6bf19cfd36fb10e92c4e" dependencies = [ "proc-macro2", "quote", @@ -3792,9 +3796,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.42.0" +version = "1.41.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5cec9b21b0450273377fc97bd4c33a8acffc8c996c987a7c5b319a0083707551" +checksum = "22cfb5bee7a6a52939ca9224d6ac897bb669134078daa8735560897f69de4d33" dependencies = [ "backtrace", "bytes", diff --git a/linkerd/meshtls/rustls/Cargo.toml b/linkerd/meshtls/rustls/Cargo.toml index 13367c5e35..b89fcf2195 100644 --- a/linkerd/meshtls/rustls/Cargo.toml +++ b/linkerd/meshtls/rustls/Cargo.toml @@ -13,6 +13,7 @@ test-util = ["linkerd-tls-test-util"] futures = { version = "0.3", default-features = false } ring = { version = "0.17", features = ["std"] } rustls-pemfile = "2.2" +rustls-webpki = { version = "0.102.8", features = ["std"] } thiserror = "1" tokio = { version = "1", features = ["macros", "rt", "sync"] } tokio-rustls = { workspace = true } diff --git a/linkerd/meshtls/rustls/src/creds.rs b/linkerd/meshtls/rustls/src/creds.rs index 00b0d7f6a6..cd0fe7f2c1 100644 --- a/linkerd/meshtls/rustls/src/creds.rs +++ b/linkerd/meshtls/rustls/src/creds.rs @@ -10,7 +10,7 @@ use ring::error::KeyRejected; use std::sync::Arc; use thiserror::Error; use tokio::sync::watch; -use tokio_rustls::rustls; +use tokio_rustls::rustls::{self, crypto::CryptoProvider}; use tracing::warn; #[derive(Debug, Error)] 
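Review bot: The new `rustls-webpki = { version = "0.102.8", features = ["std"] }` line in `linkerd/meshtls/rustls/Cargo.toml` takes a direct dependency on a crate whose version must track what `tokio-rustls`/`rustls` pull in transitively, since `webpki::ring::ECDSA_P256_SHA256` is only usable if both resolve to the same `rustls-pki-types`; a mismatch surfaces as a type error rather than silently, but the pin now lives in two places. `tokio-rustls` is already declared as `{ workspace = true }` in this same file, so the tidier form is `rustls-webpki = { workspace = true }` here plus `rustls-webpki = { version = "0.102.8", features = ["std"] }` under `[workspace.dependencies]` in the root `Cargo.toml`, keeping the TLS stack pinned in one spot. Default features of `rustls-webpki` stay enabled, which as far as I recall is what provides the `ring` module that `params` relies on, so that part is fine.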
@@ -27,20 +27,19 @@ pub fn watch( roots_pem: &str, ) -> Result<(Store, Receiver)> { let mut roots = rustls::RootCertStore::empty(); - let mut certs = vec![]; - for cert in rustls_pemfile::certs(&mut std::io::Cursor::new(roots_pem)) { - match cert { - Err(error) => { - warn!(%error, "invalid trust anchors file"); - return Err(error.into()); - } - Ok(cert) => certs.push(cert), - }; - } - if certs.is_empty() { - warn!("no valid certs in trust anchors file"); - return Err("no trust roots in PEM file".into()); - } + let certs = match rustls_pemfile::certs(&mut std::io::Cursor::new(roots_pem)) + .collect::, _>>() + { + Err(error) => { + warn!(%error, "invalid trust anchors file"); + return Err(error.into()); + } + Ok(certs) if certs.is_empty() => { + warn!("no valid certs in trust anchors file"); + return Err("no trust roots in PEM file".into()); + } + Ok(certs) => certs, + }; let (added, skipped) = roots.add_parsable_certificates(certs); if skipped != 0 { @@ -91,6 +90,12 @@ pub fn watch( Ok((store, rx)) } +fn default_provider() -> CryptoProvider { + let mut provider = rustls::crypto::ring::default_provider(); + provider.cipher_suites = params::TLS_SUPPORTED_CIPHERSUITES.to_vec(); + provider +} + #[cfg(feature = "test-util")] pub fn for_test(ent: &linkerd_tls_test_util::Entity) -> (Store, Receiver) { watch( @@ -107,7 +112,7 @@ pub fn default_for_test() -> (Store, Receiver) { } mod params { - use tokio_rustls::rustls; + use tokio_rustls::rustls::{self, crypto::WebPkiSupportedAlgorithms}; // These must be kept in sync: pub static SIGNATURE_ALG_RING_SIGNING: &ring::signature::EcdsaSigningAlgorithm = 
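Review bot: `default_provider()` narrows `cipher_suites` to `TLS_SUPPORTED_CIPHERSUITES` but leaves `signature_verification_algorithms` at ring's defaults, so the `WebPkiClientVerifier` built from it in `server_config` (store.rs) will accept client certificates and CertificateVerify signatures using any ring-supported scheme, while the client side is narrowed to ECDSA P-256/SHA-256 through `SUPPORTED_SIG_ALGS`. If that asymmetry is not intended, add `provider.signature_verification_algorithms = *params::SUPPORTED_SIG_ALGS;` beside the cipher-suite assignment (the struct is `Copy` in rustls 0.23 if I recall correctly; otherwise a second static works). `kx_groups` is likewise left at the defaults, which is probably acceptable but deserves a one-line comment so the omission reads as deliberate. The `watch` rewrite above keeps the old fail-on-first-bad-PEM-block behaviour, which is the right default for a trust-anchor file.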
@@ -116,6 +121,13 @@ mod params { rustls::SignatureScheme::ECDSA_NISTP256_SHA256; pub const SIGNATURE_ALG_RUSTLS_ALGORITHM: rustls::SignatureAlgorithm = rustls::SignatureAlgorithm::ECDSA; + pub static SUPPORTED_SIG_ALGS: &WebPkiSupportedAlgorithms = &WebPkiSupportedAlgorithms { + all: &[webpki::ring::ECDSA_P256_SHA256], + mapping: &[( + SIGNATURE_ALG_RUSTLS_SCHEME, + &[webpki::ring::ECDSA_P256_SHA256], + )], + }; pub static TLS_VERSIONS: &[&rustls::SupportedProtocolVersion] = &[&rustls::version::TLS13]; pub static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] = &[rustls::crypto::ring::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256]; diff --git a/linkerd/meshtls/rustls/src/creds/store.rs b/linkerd/meshtls/rustls/src/creds/store.rs index 44531106e8..ee1f686a4c 100644 --- a/linkerd/meshtls/rustls/src/creds/store.rs +++ b/linkerd/meshtls/rustls/src/creds/store.rs @@ -1,4 +1,4 @@ -use super::{params::*, InvalidKey}; +use super::{default_provider, params::*, InvalidKey}; use linkerd_dns_name as dns; use linkerd_error::Result; use linkerd_identity as id; @@ -28,10 +28,7 @@ struct CertResolver(Arc); pub(super) fn client_config_builder( cert_verifier: Arc, ) -> rustls::ConfigBuilder { - let mut provider = rustls::crypto::ring::default_provider(); - provider.cipher_suites = TLS_SUPPORTED_CIPHERSUITES.to_vec(); - - rustls::ClientConfig::builder_with_provider(provider.into()) + rustls::ClientConfig::builder_with_provider(Arc::new(default_provider())) .with_protocol_versions(TLS_VERSIONS) .expect("client config must be valid") // XXX: Rustls's built-in verifiers don't let us tweak things as fully 
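Review bot: `SUPPORTED_SIG_ALGS` sits under the "These must be kept in sync" comment, yet nothing verifies that `webpki::ring::ECDSA_P256_SHA256` is the verification counterpart of `SIGNATURE_ALG_RING_SIGNING`, nor that `mapping` covers every entry of `all`. A small test pins at least the rustls side: `assert_eq!(SUPPORTED_SIG_ALGS.supported_schemes(), vec![SIGNATURE_ALG_RUSTLS_SCHEME]);` together with `assert_eq!(SUPPORTED_SIG_ALGS.all.len(), 1);`. Widen the sync comment to name the new static so a future change (say, adding P-384) is not made in only one place: `// These must be kept in sync (signing key type, rustls scheme, and SUPPORTED_SIG_ALGS):`. In the `client_config_builder` hunk below, the provider's own `signature_verification_algorithms` are presumably bypassed because a custom `ServerCertVerifier` is installed, so the client-side narrowing comes entirely from this static.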
@@ -58,9 +55,7 @@ pub(super) fn server_config( // controlling the set of trusted signature algorithms), but they provide good enough // defaults for now. // TODO: lock down the verification further. - let mut provider = rustls::crypto::ring::default_provider(); - provider.cipher_suites = TLS_SUPPORTED_CIPHERSUITES.to_vec(); - let provider = Arc::new(provider); + let provider = Arc::new(default_provider()); let client_cert_verifier = WebPkiClientVerifier::builder_with_provider(Arc::new(roots), provider.clone()) diff --git a/linkerd/meshtls/rustls/src/creds/verify.rs b/linkerd/meshtls/rustls/src/creds/verify.rs index 5b78154848..42adeb75e2 100644 --- a/linkerd/meshtls/rustls/src/creds/verify.rs +++ b/linkerd/meshtls/rustls/src/creds/verify.rs @@ -1,3 +1,4 @@ +use crate::creds::params::SUPPORTED_SIG_ALGS; use std::{convert::TryFrom, sync::Arc}; use tokio_rustls::rustls::{ self, @@ -5,7 +6,6 @@ use tokio_rustls::rustls::{ self, danger::{ServerCertVerified, ServerCertVerifier}, }, - crypto::WebPkiSupportedAlgorithms, pki_types::{CertificateDer, ServerName, UnixTime}, server::ParsedCertificate, RootCertStore, @@ -15,14 +15,12 @@ use tracing::trace; #[derive(Debug)] pub(crate) struct AnySanVerifier { roots: Arc, - supported: WebPkiSupportedAlgorithms, } impl AnySanVerifier { pub(crate) fn new(roots: impl Into>) -> Self { Self { roots: roots.into(), - supported: rustls::crypto::ring::default_provider().signature_verification_algorithms, } } } @@ -30,7 +28,7 @@ impl AnySanVerifier { // This is derived from `rustls::client::WebPkiServerVerifier`. // // Copyright (c) 2016, Joseph Birr-Pixton -// https://github.com/rustls/rustls/blob/ccb79947a4811412ee7dcddcd0f51ea56bccf101/rustls/src/webpki/server_verifier.rs#L239 +// https://github.com/rustls/rustls/blob/v/0.23.15/rustls/src/webpki/server_verifier.rs#L134 // // The only difference is that we omit the step that performs // DNS SAN validation. The reason for that stems from the fact that 
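Review bot: The updated attribution comment in verify.rs still says the only difference from `WebPkiServerVerifier` is the omitted DNS SAN check, but after this series there are two more: the chain is verified against the fixed `SUPPORTED_SIG_ALGS.all` rather than the provider's algorithm list, and no CRL-based revocation checking is performed (as far as I recall the upstream verifier consults its configured CRLs; this one has none). Rephrase to `// Differences from upstream: (1) no DNS SAN validation (see below), (2) a fixed signature-algorithm set from params::SUPPORTED_SIG_ALGS, (3) no CRL revocation checking.` so the comment remains a faithful summary. The link now targets a tag (`v/0.23.15`), which is better than the old commit hash for tracking drift, but the `#L134` anchor should be re-checked on every rustls bump. The `server_config` hunk at the top keeps the `TODO: lock down the verification further` note; the cheapest step toward it is restricting `signature_verification_algorithms` in `default_provider()` rather than relying on ring's defaults.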
@@ -55,7 +53,7 @@ impl ServerCertVerifier for AnySanVerifier { &self.roots, intermediates, now, - self.supported.all, + SUPPORTED_SIG_ALGS.all, )?; if !ocsp_response.is_empty() { @@ -71,7 +69,7 @@ impl ServerCertVerifier for AnySanVerifier { cert: &CertificateDer<'_>, dss: &rustls::DigitallySignedStruct, ) -> Result { - tokio_rustls::rustls::crypto::verify_tls12_signature(message, cert, dss, &self.supported) + tokio_rustls::rustls::crypto::verify_tls12_signature(message, cert, dss, SUPPORTED_SIG_ALGS) } fn verify_tls13_signature( @@ -80,10 +78,10 @@ impl ServerCertVerifier for AnySanVerifier { cert: &CertificateDer<'_>, dss: &rustls::DigitallySignedStruct, ) -> Result { - tokio_rustls::rustls::crypto::verify_tls13_signature(message, cert, dss, &self.supported) + tokio_rustls::rustls::crypto::verify_tls13_signature(message, cert, dss, SUPPORTED_SIG_ALGS) } fn supported_verify_schemes(&self) -> Vec { - self.supported.supported_schemes() + SUPPORTED_SIG_ALGS.supported_schemes() } } From c88c1ff9bfc7f16caf6d0a33e1ec23d605bb4839 Mon Sep 17 00:00:00 2001 From: Scott Fleener Date: Tue, 10 Dec 2024 15:12:43 +0000 Subject: [PATCH 4/4] Fix Cargo.lock and default-features This seems to have been causing build/fetch errors in CI. Signed-off-by: Scott Fleener --- Cargo.lock | 54 +++++++++++++++++++++++++----------------------------- Cargo.toml | 2 +- 2 files changed, 26 insertions(+), 30 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index aa83b03614..bc6a125c12 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -62,9 +62,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.93" +version = "1.0.94" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4c95c10ba0b00a02636238b814946408b1322d5ac4760326e6fb8ec956d85775" +checksum = "c1fd03a028ef38ba2276dce7e33fcd6369c158a1bca17946c4b1b701891c1ff7" [[package]] name = "arbitrary" 
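Review bot: Passing `SUPPORTED_SIG_ALGS.all` to `verify_server_cert_signed_by_trust_anchor` is a behaviour change, not just an API port: every signature from the leaf up to the trust anchor must now be ECDSA P-256/SHA-256, whereas the rustls 0.21 code (if I recall its defaults) accepted webpki's full set including RSA, P-384 and Ed25519. That is the right direction for a mesh that issues only P-256 identities, but an installation whose trust anchor or issuer is RSA-signed would begin failing handshakes with a chain-validation error, so the commit message or the call site should say so: `// Only ECDSA P-256/SHA-256 chains are accepted; an RSA- or P-384-signed issuer or root is rejected here.`. The inbound side (`WebPkiClientVerifier` in store.rs) still uses the provider's default algorithm list, so the two directions currently disagree. `supported_verify_schemes` now advertising only `ECDSA_NISTP256_SHA256` matches the proxy's own key type and is fine.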
@@ -540,9 +540,9 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.9" +version = "0.3.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" +checksum = "33d852cb9b869c2a9b3df2f71a3074817f01e1844f839a144f5fcef059a4eb5d" dependencies = [ "libc", "windows-sys 0.52.0", @@ -807,7 +807,7 @@ dependencies = [ "futures-sink", "futures-util", "http", - "indexmap 2.6.0", + "indexmap 2.7.0", "slab", "tokio", "tokio-util", @@ -942,9 +942,9 @@ checksum = "9a3a5bfb195931eeb336b2a7b4d761daec841b97f947d34394601737a7bba5e4" [[package]] name = "hyper" -version = "0.14.28" +version = "0.14.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf96e135eb83a2a8ddf766e426a841d8ddd7449d5f00d34ea02b41d2f19eef80" +checksum = "8c08302e8fa335b151b788c775ff56e7a03ae64ff85c548ee820fecb70356e85" dependencies = [ "bytes", "futures-channel", @@ -1150,9 +1150,9 @@ dependencies = [ [[package]] name = "indexmap" -version = "2.6.0" +version = "2.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "707907fe3c25f5424cce2cb7e1cbcafee6bdbe735ca90ef77c29e84591e5b9da" +checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f" dependencies = [ "equivalent", "hashbrown 0.15.2", @@ -1271,9 +1271,9 @@ dependencies = [ [[package]] name = "libloading" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4" +checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34" dependencies = [ "cfg-if", "windows-targets 0.52.0", @@ -2088,7 +2088,7 @@ dependencies = [ "ahash", "futures", "futures-util", - "indexmap 2.6.0", + "indexmap 2.7.0", "linkerd-error", "linkerd-metrics", "linkerd-pool", 
@@ -2807,11 +2807,10 @@ dependencies = [ [[package]] name = "mio" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "80e04d1dcff3aae0704555fe5fee3bcfaf3d1fdf8a7e521d5b9d2b42acb52cec" +checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd" dependencies = [ - "hermit-abi", "libc", "wasi", "windows-sys 0.52.0", @@ -2947,14 +2946,13 @@ dependencies = [ [[package]] name = "opentelemetry" -version = "0.27.0" +version = "0.27.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0f3cebff57f7dbd1255b44d8bddc2cebeb0ea677dbaa2e25a3070a91b318f660" +checksum = "ab70038c28ed37b97d8ed414b6429d343a8bbf44c9f79ec854f3a643029ba6d7" dependencies = [ "futures-core", "futures-sink", "js-sys", - "once_cell", "pin-project-lite", "thiserror 1.0.69", "tracing", @@ -2973,15 +2971,13 @@ dependencies = [ [[package]] name = "opentelemetry_sdk" -version = "0.27.0" +version = "0.27.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "27b742c1cae4693792cc564e58d75a2a0ba29421a34a85b50da92efa89ecb2bc" +checksum = "231e9d6ceef9b0b2546ddf52335785ce41252bc7474ee8ba05bfad277be13ab8" dependencies = [ - "async-trait", "futures-channel", "futures-executor", "futures-util", - "once_cell", "opentelemetry", "percent-encoding", "rand", @@ -3046,7 +3042,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db" dependencies = [ "fixedbitset", - "indexmap 2.6.0", + "indexmap 2.7.0", ] [[package]] 
@@ -3589,9 +3585,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" [[package]] name = "socket2" -version = "0.5.7" +version = "0.5.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ce305eb0b4296696835b71df73eb912e0f1ffd2556a501fcede6e0c50349191c" +checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8" dependencies = [ "libc", "windows-sys 0.52.0", @@ -3660,9 +3656,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.89" +version = "2.0.90" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "44d46482f1c1c87acd84dea20c1bf5ebff4c757009ed6bf19cfd36fb10e92c4e" +checksum = "919d3b74a5dd0ccd15aeb8f93e7006bd9e14c295087c9896a110f490752bcf31" dependencies = [ "proc-macro2", "quote", @@ -3817,9 +3813,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.41.1" +version = "1.42.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22cfb5bee7a6a52939ca9224d6ac897bb669134078daa8735560897f69de4d33" +checksum = "5cec9b21b0450273377fc97bd4c33a8acffc8c996c987a7c5b319a0083707551" dependencies = [ "backtrace", "bytes", diff --git a/Cargo.toml b/Cargo.toml index 5ae61e2c83..1990bda881 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -98,5 +98,5 @@ lto = true [workspace.dependencies] linkerd2-proxy-api = "0.15.0" -tokio-rustls = { version = "0.26", default_features = false, features = ["ring", "logging"] } +tokio-rustls = { version = "0.26", default-features = false, features = ["ring", "logging"] } # linkerd2-proxy-api = { git = "https://github.com/linkerd/linkerd2-proxy-api.git", branch = "main" }
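Review bot: `default-features = false` is the spelling Cargo honours; with the previous underscore key the crate's default features appear to have stayed enabled, which (as far as I recall tokio-rustls 0.26's defaults) would pull in the `aws_lc_rs` provider with its C/cmake build and the `tls12` feature — a plausible source of the CI errors the commit message mentions. Because this line now decides which crypto providers are compiled in, a comment should record the intent: `# ring only: a second (aws-lc-rs) provider must not be linked in, and TLS 1.2 is never offered.`. Dropping `tls12` is consistent with `params::TLS_VERSIONS` being TLS 1.3 only.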